The IT implications of changes in government

A secure identity management system is vital if governments are to protect data as staff join, move and leave.

The public sector is characterised by change, especially in times of political instability. Case in point: Australia has had six prime ministers in 11 years, with a federal election coming up this year. With any shake-up in leadership, cabinet or MPs, thousands of people step into new roles and are given new responsibilities. For context, according to the ABS, across federal, state and local government there are close to two million public sector employees. And with change on the horizon, there will be a transition process, including for IT.

In identity management, we frequently talk about the user life cycle: joiner, mover, leaver. All of those people moving about an organisation have accounts and access privileges that must be updated, modified or deleted as they join the organisation, move around into various roles and, eventually, leave.

This joiner–mover–leaver life cycle is a colossal identity governance problem. Public-sector IT professionals must remember that where change happens, vulnerability is introduced. For example, Edward Snowden didn’t have a ‘leave’ point, but he did have high-level privileges that he kept as he moved within the US Government. He retained entitlements that he shouldn’t have kept as his role changed, which ultimately gave him inappropriate access to sensitive data and information.

To avoid similar scenarios, it is absolutely critical that public-sector organisations and agencies have a good system and strong processes in place to govern user access to all applications and all data.

Authentication is a critical first step — but alone, it is not enough. In the security industry, we often talk about the five As of security. Authentication (knowing who the person is) is the first, followed by authorisation (knowing what the person can access in a given system), audit (having the ability to create oversight), analytics (visibility and investigation) and administration (that is, managing all of the above across all users, applications and data).

Identity governance provides strong administration, audit and oversight of who has access to systems, resources and data. It provides intelligence and awareness about who has access, what users are doing with that access, and the visibility and control over all corporate applications and data — whether they are in the cloud or on premises.

This last point is particularly important in the public sector. Gartner estimates 80% of all data in the world is stored in files, often in insecure locations. Many federal, state and local governments and agencies have no visibility into where these files reside, what they contain and who can access this data. This gap has the potential to improperly expose sensitive citizen data to individuals or groups with questionable or even malicious intent.

Public-sector organisations are under increased scrutiny over their defence posture against foreign entities and insiders. They’re also often understaffed and under-resourced. Accordingly, approaching identity governance the traditional way — using spreadsheets and manual processes — can lead to a sense of futility, to say the least.

More organisations are recognising the importance of official identity programs, with federal government leading the charge. However, the identity journey for many public-sector organisations is largely just getting started. Taking it to the next step requires a comprehensive approach, one that spans all users — no matter their stance in the organisation — and their access to all data and applications. This is the only way to provide the right oversight and governance controls as they move about the organisation, ensuring the access of all digital identities within the agency.

Image credit: ©stock.adobe.com/au/Sikov

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.